The Maine government has confirmed that personal information of over a million individuals was stolen in a data breach earlier this year, orchestrated by a ransomware gang with alleged ties to Russia. The breach exploited a vulnerability in the state’s MOVEit file-transfer system, leading to unauthorized access and download of files from certain state agencies between May 28 and May 29.
The compromised data, as outlined in the government’s statement, may include individuals’ names, dates of birth, Social Security numbers, driver’s license details, and other state or taxpayer identification numbers. Additionally, some affected individuals had their medical and health insurance information compromised. The state clarified that the information it holds varies for each resident, depending on factors such as residency, employment, or interactions with state agencies.
According to the breakdown of affected agencies provided by the state, over half of the stolen data pertains to Maine’s Department of Health and Human Services, with approximately a third impacting the Department of Education. The remainder affects various other agencies, including the Bureau of Motor Vehicles and the Department of Corrections.
Maine has a population of more than 1.3 million people. The incident is the latest disclosure connected to the MOVEit mass hack, considered one of the largest hacking incidents of the year based on the sheer number of victims.
MOVEit systems, widely used for transferring sensitive data, became a focal point for cybercriminals earlier this year. Progress Software, the system’s maker, addressed a vulnerability that allowed the notorious Clop ransomware gang to conduct a mass hack affecting organizations worldwide. Cybersecurity firm Emsisoft reports that more than 2,500 organizations have disclosed MOVEit-related breaches, impacting at least 69 million individuals.
The Maine government’s security incident ranks as the eleventh largest MOVEit-related breach disclosed at the time of reporting, joining other affected entities such as Ontario’s birth registry, and the states of Colorado, Oregon, and Louisiana. Notably, several U.S. federal agencies, including the Department of Energy, were also affected.
While the Clop gang has not listed Maine on its leak site, the potential consequences remain serious. Ransomware gangs often publish portions of stolen files to pressure organizations into paying a ransom. Progress Software recently disclosed that the U.S. Securities and Exchange Commission has subpoenaed the company for information related to the MOVEit vulnerability, and the company has expressed its commitment to fully cooperate with the investigation.